add malware/ransomwares

pull/132/head
Deborah Servili 2017-12-08 15:45:44 +01:00
parent e1e110c454
commit 12e0af9fa2
2 changed files with 42 additions and 2 deletions


@ -8634,12 +8634,42 @@
".fucku"
]
}
},
{
"value": "qkG",
"description": "Security researchers have discovered a new ransomware strain named qkG that targets only Office documents for encryption and infects the Word default document template to propagate to new Word documents opened through the same Office suite on the same computer.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/qkg-ransomware-encrypts-only-word-documents-hides-and-spreads-via-macros/"
]
}
},
{
"value": "Scarab",
"description": "The Scarab ransomware is a relatively new ransomware strain that was first spotted by security researcher Michael Gillespie in June this year.\nWritten in Delphi, the first version was simplistic and was recognizable via the \".scarab\" extension it appended after the names of encrypted files.\nMalwarebytes researcher Marcelo Rivera spotted a second version in July that used the \".scorpio\" extension. The version spotted with the Necurs spam today has reverted back to using the .scarab extension.\nThe current version of Scarab encrypts files but does not change original file names as previous versions. This Scarab version appends each file's name with the \".[suupport@protonmail.com].scarab\" extension.\nScarab also deletes shadow volume copies and drops a ransom note named \"IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT\" on users' computers, which it opens immediately.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/",
"https://labsblog.f-secure.com/2017/11/23/necurs-business-is-booming-in-a-new-partnership-with-scarab-ransomware/",
"https://blogs.forcepoint.com/security-labs/massive-email-campaign-spreads-scarab-ransomware",
"https://twitter.com/malwrhunterteam/status/933643147766321152",
"https://myonlinesecurity.co.uk/necurs-botnet-malspam-delivering-a-new-ransomware-via-fake-scanner-copier-messages/"
],
"extensions": [
".scarab",
".scorpio",
".[suupport@protonmail.com].scarab"
],
"ransomnotes":[
"IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"
]
}
}
],
"source": "Various",
"uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
"name": "Ransomware",
"version": 4,
"version": 5,
"type": "ransomware",
"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
}
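Review bot: `"ransomnotes":[` on the Scarab entry lacks the space after the colon that every other key in this hunk uses (`"refs": [`, `"extensions": [`, `"meta": {`); write it as `"ransomnotes": [` so the file stays uniformly formatted and a later pretty-print pass does not produce a spurious diff on this line. The Scarab description also dates events relatively — "first spotted ... in June this year" and "the Necurs spam today" — which stops meaning anything once this galaxy is consumed after 2017; anchor them, e.g. `"first spotted by security researcher Michael Gillespie in June 2017"` and `"The version spotted with the Necurs spam campaign of November 2017"` (the F-Secure ref URL carries the 2017/11/23 date). The enclosing "values" array and the "fucku" entry that precedes the added ones start outside the hunk.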


@ -10,7 +10,7 @@
],
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
"version": 38,
"version": 39,
"values": [
{
"meta": {
@ -3083,6 +3083,16 @@
"HSDFSDCrypt"
]
}
},
{
"value": "wp-vcd",
"description": "WordPress site owners should be on the lookout for a malware strain tracked as wp-vcd that hides in legitimate WordPress files and that is used to add a secret admin user and grant attackers control over infected sites.\nThe malware was first spotted online over the summer by Italian security researcher Manuel D'Orso.\nThe initial version of this threat was loaded via an include call for the wp-vcd.php file —hence the malware's name— and injected malicious code into WordPress core files such as functions.php and class.wp.php. This was not a massive campaign, but attacks continued throughout the recent months.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/wp-vcd-wordpress-malware-campaign-is-back/",
"https://www.bleepingcomputer.com/news/security/wp-vcd-wordpress-malware-spreads-via-nulled-wordpress-themes/"
]
}
}
]
}
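Review bot: In the second hunk (@ -3083,6) the wp-vcd description uses relative time references — "over the summer", "throughout the recent months" — that are unanchored for anyone reading this galaxy outside late 2017; the only dating available is the hunk's own refs, so phrase them absolutely, e.g. `"The malware was first spotted online in summer 2017 by Italian security researcher Manuel D'Orso."` and `"attacks continued through the autumn of 2017"`. The em dashes in "—hence the malware's name—" are set tight against the surrounding words; spaced dashes read better in a plain-text description field. The enclosing "values" array starts outside the hunk.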